Skip to content

Commit

Permalink
fix: add a maxOutputLength option to zlib inflate
Browse files Browse the repository at this point in the history
  • Loading branch information
panva committed Mar 7, 2024
1 parent d1be83f commit 02a6579
Show file tree
Hide file tree
Showing 4 changed files with 28 additions and 2 deletions.
2 changes: 2 additions & 0 deletions docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1494,6 +1494,8 @@ operation.
Count) Header Parameter value. The PBKDF2 iteration count defines the algorithm's computational
expense.
**Default:** '10000'
- `inflateRawSyncLimit`: `number` Limits compressed JWE plaintext output size.
**Default:** '250000'
- `complete`: `<boolean>` When true returns an object with the parsed headers, verified
AAD, the content encryption key, the key that was used to unwrap or derive the content
encryption key, and cleartext instead of only the cleartext.
Expand Down
4 changes: 2 additions & 2 deletions lib/jwe/decrypt.js
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ const validateAlgorithms = (algorithms, option) => {
/*
* @public
*/
const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, keyManagementAlgorithms, contentEncryptionAlgorithms, maxPBES2Count = 10000 } = {}) => {
const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, keyManagementAlgorithms, contentEncryptionAlgorithms, maxPBES2Count = 10000, inflateRawSyncLimit = 250000 } = {}) => {
key = getKey(key, true)

keyManagementAlgorithms = validateAlgorithms(keyManagementAlgorithms, 'keyManagementAlgorithms')
Expand Down Expand Up @@ -189,7 +189,7 @@ const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], c
let cleartext = decrypt(enc, cek, base64url.decodeToBuffer(ciphertext), { iv, tag, aad: adata })

if (opts.zip) {
cleartext = inflateRawSync(cleartext)
cleartext = inflateRawSync(cleartext, { maxOutputLength: inflateRawSyncLimit })
}

if (complete) {
Expand Down
23 changes: 23 additions & 0 deletions test/jwe/sanity.test.js
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
const test = require('ava')
const crypto = require('crypto')

const base64url = require('../../lib/help/base64url')
const { JWKS, JWK: { generateSync }, JWE, errors } = require('../..')
Expand Down Expand Up @@ -616,3 +617,25 @@ if (!('electron' in process.versions)) {
}, { instanceOf: errors.JWEInvalid, message: 'JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds' })
})
}

test('Compressed JWE output length limit', t => {
const k = generateSync('oct', 256)
{
const jwe = JWE.encrypt(crypto.randomBytes(250000), k, { alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
t.notThrows(() => {
JWE.decrypt(jwe, k)
})
}
{
const jwe = JWE.encrypt(crypto.randomBytes(250000 + 1), k, { alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
t.throws(() => {
JWE.decrypt(jwe, k)
})
}
{
const jwe = JWE.encrypt(crypto.randomBytes(1001), k, { alg: 'dir', enc: 'A128CBC-HS256', zip: 'DEF' })
t.throws(() => {
JWE.decrypt(jwe, k, { inflateRawSyncLimit: 1000 })
})
}
})
1 change: 1 addition & 0 deletions types/index.d.ts
Original file line number Diff line number Diff line change
Expand Up @@ -402,6 +402,7 @@ export namespace JWE {
contentEncryptionAlgorithms?: string[];
keyManagementAlgorithms?: string[];
maxPBES2Count?: number;
inflateRawSyncLimit?: number;
}

interface completeDecrypt {
Expand Down

0 comments on commit 02a6579

Please sign in to comment.